Secure Reality Pty Ltd. Security Advisory #6 (SRADV00006)
Remote command execution vulnerabilities in phpGroupWare
You can view a plain text version of this advisory here
Released
6/11/2000
Vulnerable
Versions below 0.9.7 under Unix
Overview
phpGroupWare is a multi-user web based groupware suite written in PHP.
phpGroupWare is quite popular due to its integration of many aspects of
group cooperation: email, calendaring, file sharing, to do lists, etc.
phpGroupWare makes insecure calls to the include() function of PHP which
can allow the inclusion of remote files, and thereby the execution of
arbitrary commands on the remote web server with the permissions of the
web server user, usually 'nobody'
Impact
Remote command execution (with privileges as above)
Detail
This is an excellent example of another aspect of the remotely accessible
include files issue that has been discussed in detail recently. The discussion
has centered around the sensitive information that can be contained in
include files and the fact that include files generally have the extension
'inc' and thus, if web accessible, are returned to the requestor in plain
text.
A common solution amongst freely available php scripts is to give include
files the extension .inc.php. This causes the include file to always be
processed by the PHP interpreter and therefore not return in plain text
sensitive configuration information, like database passwords. Thus these
programs can have easy installation (untar everything into the web space)
without worrying about configuration disclosure.
The problem however then becomes one of context. Code and configuration
variables in include files tend to be highly interdependent, that is,
certain files and data must have already been included before including
a particular file. By directly requesting the files we can break the interdependence
chain and cause data the include files could normally trust to become
untrustworthy.
Which leads us to the phpGroupWare vulnerability. We can directly request
the library include files that make up the phpGroupWare API, one of these
files, phpgw.inc.php performs an include based on variables that should
have been set as part of the call chain. By providing them ourselves we
can determine the initial part of the following include statement:
For example, if I had access to place files in a webspace http://evilhost.com/~shaun/
I would create a directory "phpgwapi" and place inside it a script called
phpgw_info.inc.php with content like the following:
If we then make a request to the target machine like the following:
It should be noted there are some caveats to this attack:
- The remote web server must be able to retrieve the file, i.e no firewalls
in the way
- The remote web server must not be running PHP under Windows since remote
file includes are not supported on this platform
- The remote web server must be running a sufficiently recent version
of PHP that [][] form variables are allowed
- The remote web server must not have allow_url_fopen set off - Later
versions of phpGroupWare check the variable
$phpgw_info["server"]["header_version"] in phpgw.inc.php, for those versions
we need to provide that via form variables too
There may well be others based on other versions/configurations of PHP.
Fix
Please upgrade to the latest version of phpGroupWare (0.9.7) at
http://sourceforge.net/project/showfiles.php?group_id=7305
Acknowledgements
Our thanks to all of the developers of phpGroupWare, in particular Dan
Kuykendall, for their assistance in quickly correcting this issue.
Disclaimer
Advice, directions and instructions on security vulnerabilities in this
advisory do not constitute: an endorsement of illegal behavior; a guarantee
that protection measures will work; an endorsement of any product or solution
or recommendations on behalf of Secure Reality Pty Ltd. Content is provided
as is and Secure Reality Pty Ltd does not accept responsibility for any
damage or injury caused as a result of its use.
